[CVE-2015-1775] Apache Ambari Server Side Request Forgery vulnerability
Versions Affected: 1.5.0 to 2.0.2
Versions Fixed: 2.1.0
The Apache Ambari project is aimed at making Hadoop management simpler by developing software for provisioning, managing, and monitoring Apache Hadoop clusters. Ambari provides an intuitive, easy-to-use Hadoop management web UI backed by its RESTful APIs.
Apache Ambari uses URL parameters to communicate with Ambari agents. The server sends an HTTP request with a query to a particular agent and gets the queried data in return. This is implemented as an HTTP proxy, with the Ambari server acting as the proxy. By manipulating the parameters sent in the URL (host, path, port, query string), one can communicate with other interfaces accessible from the Ambari server, not only Ambari agents. Most of those interfaces are accessible only from the Ambari server. This is a case of Server Side Request Forgery.
The Ambari server uses a proxy mechanism to ask each Ambari agent for data. The implementation of the proxy mechanism is located in the ProxyService class in the package org.apache.ambari.server.proxy.
A sample HTTP request to the proxy and its response are listed below (the user has to be logged into Ambari; the call is made from the Jobs list):
GET /proxy?url=http://test.locald:8188/ws/v1/timeline/HIVE_QUERY_ID?limit=1&secondaryFilter=tez:true&_=1424180016625 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
An attacker needs to have a normal user account in Ambari. With such an account, the attacker can:
* access other servers (change test.locald to something else), which may otherwise be inaccessible to the user
* access HTTP services running on other ports (change 8188 to some other port number), which can be used for two things:
  * interact with those HTTP services (HTTP POST requests are passed as well)
  * port scan the entire server and discover running HTTP services
* hide the source IP of the user when interacting with other servers (the Ambari IP will be seen on the targeted server)
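A defensive check for the proxy's url parameter, added here as an example (it is not Ambari's code and not the fix shipped in 2.1.0): it validates scheme, host, port and path against an allowlist and audits logged /proxy request lines with the same rule. The allowlist values, the function names and the sample lines other than the request shown above are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist (assumption, not Ambari configuration) of proxy targets.
ALLOWED_HOSTS = {"test.locald"}
ALLOWED_PORTS = {8188}
ALLOWED_PATH_PREFIXES = ("/ws/v1/timeline/",)

def check_proxy_target(target):
    """Return None if the proxied URL is allowed, else the rejection reason."""
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"  # user@host can disguise the real host
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return "host not allowlisted"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return "port not allowlisted"
    path = unquote(parts.path)
    if ".." in path.split("/") or not path.startswith(ALLOWED_PATH_PREFIXES):
        return "path not allowlisted"  # also covers ".." escapes of the prefix
    return None

def audit_proxy_requests(request_lines):
    """Return (target, reason) for each logged /proxy request that fails the check."""
    findings = []
    for line in request_lines:
        parts = urlsplit(line.split(" ")[1])  # "METHOD URI VERSION"
        if parts.path != "/proxy" or not parts.query.startswith("url="):
            continue
        # The target is sent unencoded on the page: keep everything after "url=".
        target = unquote(parts.query[len("url="):])
        reason = check_proxy_target(target)
        if reason:
            findings.append((target, reason))
    return findings

# Constructed request lines: the first is the page's sample, the rest vary host or port.
SAMPLE = [
    "GET /proxy?url=http://test.locald:8188/ws/v1/timeline/HIVE_QUERY_ID?limit=1&secondaryFilter=tez:true&_=1424180016625 HTTP/1.1",
    "GET /proxy?url=http://other.example:8188/ws/v1/timeline/HIVE_QUERY_ID HTTP/1.1",
    "POST /proxy?url=http://test.locald:8080/ HTTP/1.1",
]
```

The check works on names only; a proxy enforcing it should also connect to the address it validated, so that a later DNS answer cannot point an allowlisted name somewhere else.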
09.03.2015 - vendor notified
10.03.2015 - vendor initial response
09.04.2015 - vendor accepted this as an issue and decided to fix
09.10.2015 - patches available
13.10.2015 - public disclosure
CWE-918: Server-Side Request Forgery (SSRF)